Strange files in cmsAdmin

11 posts by 3 authors in: Forums > CMS Builder
Last Post: November 9, 2009

Re: [gkornbluth] Strange files in cmsAdmin

By Dave - November 4, 2009

Hi Jerry,

The cmsb code assumes everything in those directories needs to be writable, but those files aren't ours.

If you come across any others could you send me a copy so I can examine it? I'd recommend checking through the other directories to make sure nothing else is going on.

Let me know what you find out.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Strange files in cmsAdmin

By gkornbluth - November 4, 2009 - edited: November 7, 2009

Dave,

Thanks for getting back to me.

I've attached one of the files. I've also contacted my web host to see if they know anything about these.

You can delete this post if you want to.

Best,

Jerry
The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
Attachments:

16855.php 2K

Re: [gkornbluth] Strange files in cmsAdmin

By Dave - November 4, 2009

Hi Jerry,

Looks like the server may have been hacked. What that file does is connect to rssnews.ws (google: http://www.google.ca/search?q="rssnews.ws"), download some code and run it.

It's not fun to clean up but we hear about a couple of these a month. CMSB isn't the entry point. It's usually an open source forum, or email form, or something like that.

I'd recommend starting with a full FTP backup, then MySQL backup. Then go through everything.

Hope that helps! That's too bad that happened. At least CMSB warned you about it (albeit inadvertently).
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Strange files in cmsAdmin

Thanks Dave

Re: [gkornbluth] Strange files in cmsAdmin

By gkornbluth - November 7, 2009 - edited: November 7, 2009

Hi Dave,

I checked with my webhost and they agree with your assessment.

They also feel that a permission of 777 on the CMSB upload and data directories, as suggested in the "upload instructions (READ FIRST).txt" file, creates potential security issues.

Is there a lower "writable" permission that would allow CMSB to function and that would offer a higher degree of security?

Thanks,

Jerry

Re: [gkornbluth] Strange files in cmsAdmin

By Dave - November 7, 2009

Hi Jerry,

Sometimes there is. It depends how everything is set up on the host. If PHP runs as the lowest security account called 'nobody' on the unix system then you need to set it to 777. Try setting it to 755 (the most restrictive) and see if that works, if not try 775, or if not 777. Those will allow the user, users in the same group, and public (any user on the system) to write to the file, respectively.

In general, though, it won't make a big difference in this case because all the web apps on a site usually run as the same user, so if CMSB can update its data files or directories then so can any other web app on the site.

There may be some other benefits from it, though. And it certainly wouldn't hurt anything (as long as you test it works after changing the permissions).
Dave Edis - Senior Developer
interactivetools.com
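
A way to list the directories and PHP files worth reviewing when 777 permissions are in use, as an added example that is not part of the original thread and not CMS Builder's own code. The directory layout and the names `uploads`, `lib/common.php` and `stray_example.php` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable directories and the
# PHP files sitting in them. All paths and file names are constructed.

# Print every directory under $1 that any user on the system can write to
# (the "other" write bit, which mode 777 sets).
world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# Print PHP files located directly inside world-writable directories.
# Each one should be compared against a clean copy of the application.
php_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php'
    done | sort
}

# Build a constructed sample tree so the script runs offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cmsAdmin/data" "$root/cmsAdmin/uploads" "$root/cmsAdmin/lib"
    : > "$root/cmsAdmin/data/settings.dat.php"      # expected data file
    : > "$root/cmsAdmin/uploads/stray_example.php"  # constructed stray file
    : > "$root/cmsAdmin/lib/common.php"             # code dir, mode 755
    chmod 777 "$root/cmsAdmin/data" "$root/cmsAdmin/uploads"
    chmod 755 "$root" "$root/cmsAdmin" "$root/cmsAdmin/lib"
    echo "$root"
}

SAMPLE=$(make_sample_tree)
echo "World-writable directories:"
world_writable_dirs "$SAMPLE"
echo "PHP files inside them (compare against a clean install):"
php_in_writable_dirs "$SAMPLE"
rm -rf "$SAMPLE"
```

After tightening a directory to 755 or 775, rerun the listing to confirm it no longer appears, then verify the application can still save its settings.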

Re: [Dave] Strange files in cmsAdmin

Good to know.

What are some of the things that "might not work" in CMSB with 755 to look out for?

Jerry

Re: [gkornbluth] Strange files in cmsAdmin

By avrom - November 7, 2009

Hi Jerry,

I have also noticed an increase in server and phishing attacks over the last couple of weeks, and one of my clients was also hacked (not CMS Builder).

The problem may be more related to FTP. Since a hacker has your login info, changing file permissions won't do too much at that point. Ask your webhost to use SFTP (Secured FTP) for your site, that way login info can't be scanned by hackers.

Cheers
Avrom

Re: [gkornbluth] Strange files in cmsAdmin

By Dave - November 9, 2009

Hi Jerry,

>What are some of the things that "might not work" in CMSB with 755 to look out for?

Basically, if you change permissions on /data/settings.dat.php and then you can update: Admin > General > Program Name it means everything works.

My only other advice would be to not use dictionary words for passwords (add a number and special character !@# for added security).

Our site is constantly being scanned for vulnerable scripts. It adds thousands of lines to our 404 log.
Dave Edis - Senior Developer
interactivetools.com